{% extends "siem/base.html" %}

{% block sub-title %}Event Documentation | {% endblock %}

{% block content-main %}

<h1>Event Documentation</h1>

<hr>

<a name="logevent"></a>
<h2>Anatomy of a Log Event</h2>
<p>Log events have the following attributes that can be parsed using parser fields:</p>

<table>
    <tr><th>Attribute<br>Name</th><th>Description</th></tr>
    <tr><td>date_stamp</td><td>A string representing the date stamp.</td></tr>
    <tr><td>log_source</td><td>The log source from which the event originated.</td></tr>
    <tr><td>facility</td><td>The syslog facility of the event (0-23).</td></tr>
    <tr><td>severity</td><td>The syslog severity of the event (0-7).</td></tr>
    <tr><td>aggregated_events</td><td>The number of aggregated events represented.</td></tr>
    <tr><td>source_host</td><td>The source host (IP, FQDN, etc).</td></tr>
    <tr><td>source_port</td><td>The source port (e.g. 443, https, smtp).</td></tr>
    <tr><td>dest_host</td><td>The destination host.</td></tr>
    <tr><td>dest_port</td><td>The destination port.</td></tr>
    <tr><td>source_process</td><td>The source process.</td></tr>
    <tr><td>source_pid</td><td>The source process ID.</td></tr>
    <tr><td>action</td><td>The action being taken.</td></tr>
    <tr><td>command</td><td>The command being executed.</td></tr>
    <tr><td>protocol</td><td>The protocol involved in the event (ssh, https, etc).</td></tr>
    <tr><td>packet_count</td><td>The number of packets involved (for flows).</td></tr>
    <tr><td>byte_count</td><td>The number of bytes involved.</td></tr>
    <tr><td>tcp_flags</td><td>The TCP flags (an integer).</td></tr>
    <tr><td>class_of_service</td><td>The ToS (type of service) field (an integer).</td></tr>
    <tr><td>interface</td><td>The network interface involved.</td></tr>
    <tr><td>status</td><td>The status (interface status, http status code, etc).</td></tr>
    <tr><td>start_time</td><td>A string representing the start time (for flows, videos, motion sensor events).</td></tr>
    <tr><td>duration</td><td>A string representing the duration.</td></tr>
    <tr><td>source_user</td><td>The user who initiated the event.</td></tr>
    <tr><td>target_user</td><td>The user targeted in the event.</td></tr>
    <tr><td>sessionid</td><td>The session ID of the session involved in the event.</td></tr>
    <tr><td>Path</td><td>The URI or file path.</td></tr>
    <tr><td>Parameters</td><td>The parameters (web server logs, etc).</td></tr>
    <tr><td>Referrer</td><td>The referrer (web server logs, etc).</td></tr>
    <tr><td>message</td><td>The message conveyed.</td></tr>
    <tr><td>ext0</td><td>A field meant to be defined by the user.</td></tr>
    <tr><td>ext1</td><td>A field meant to be defined by the user.</td></tr>
    <tr><td>ext2</td><td>A field meant to be defined by the user.</td></tr>
    <tr><td>ext3</td><td>A field meant to be defined by the user.</td></tr>
    <tr><td>ext4</td><td>A field meant to be defined by the user.</td></tr>
    <tr><td>ext5</td><td>A field meant to be defined by the user.</td></tr>
    <tr><td>ext6</td><td>A field meant to be defined by the user.</td></tr>
    <tr><td>ext7</td><td>A field meant to be defined by the user.</td></tr>
</table>
<br>
<p>In addition, log events have the following fields that are set by the collector itself rather than by the parser or parse helpers:</p>
<table>
    <tr><th>Attribute<br>Name</th><th>Description</th></tr>
    <tr><td>parsed_at</td><td>The time the event was parsed (a datetime object with microsecond precision, i.e. 6 decimal places).</td></tr>
    <tr><td>time_zone</td><td>The time zone associated with the parsed_at datetime object.</td></tr>
    <tr><td>parsed_on</td><td>The hostname of the system on which the event was parsed.</td></tr>
    <tr><td>source_path</td><td>The full path of the file from which the event originated.</td></tr>
    <tr><td>event_type</td><td>The event type defined by the parser configuration.</td></tr>
    <tr><td>eol_date_local</td><td>Event end-of-life date in the LogESP database.</td></tr>
    <tr><td>eol_date_backup</td><td>Event end-of-life date for backup copies.</td></tr>
    <tr><td>raw_text</td><td>The entire raw text of the event.</td></tr>
</table>
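<p>As an added illustration of the two tables above (not code from the LogESP project), the following parses one constructed sshd syslog line into a dict keyed by the attribute names documented here, decodes facility and severity from the syslog PRI, and fills in the collector-set fields. The regex, the <code>sshd_auth</code> event type and the <code>/var/log/auth.log</code> path are assumptions for the example.</p>

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sample sshd line in BSD syslog style (not taken from LogESP).
SAMPLE_LINE = ("<38>Mar  4 10:15:22 bastion sshd[2231]: Accepted publickey "
               "for alice from 203.0.113.7 port 51522 ssh2")

# Hypothetical parser pattern: each named group is one log event attribute.
# The syslog header host becomes log_source; the remote client is source_host.
SSHD_AUTH = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<date_stamp>\w{3} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<log_source>\S+) (?P<source_process>[\w-]+)\[(?P<source_pid>\d+)\]: "
    r"(?P<message>(?P<action>Accepted|Failed) \S+ for (?P<target_user>\S+) "
    r"from (?P<source_host>\S+) port (?P<source_port>\d+) (?P<protocol>\S+))$"
)

def parse_log_event(line, pattern=SSHD_AUTH, event_type="sshd_auth",
                    source_path="/var/log/auth.log"):
    """Turn one raw line into a dict keyed by the log event attributes.

    Returns None when the line does not match (or carries an illegal PRI),
    so a caller can route it elsewhere instead of storing a half-filled event.
    """
    m = pattern.match(line)
    if m is None:
        return None
    event = m.groupdict()
    pri = int(event.pop("pri"))
    if pri > 191:                     # facility 23 / severity 7 is the highest legal PRI
        return None
    event["facility"] = pri >> 3      # 0-23
    event["severity"] = pri & 7       # 0-7
    for key in ("source_pid", "source_port"):
        event[key] = int(event[key])
    event["aggregated_events"] = 1    # one raw line, nothing aggregated yet
    # Fields not defined by the parser: set by the collector itself.
    now = datetime.now(timezone.utc)
    event["parsed_at"] = now
    event["time_zone"] = str(now.tzinfo)
    event["parsed_on"] = socket.gethostname()
    event["source_path"] = source_path
    event["event_type"] = event_type
    event["raw_text"] = line
    return event

if __name__ == "__main__":
    for k, v in parse_log_event(SAMPLE_LINE).items():
        print(f"{k:18} {v}")
```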

<hr>

<a name="ruleevent"></a>
<h2>Anatomy of a Rule Event</h2>
<p>Rule events have the following attributes:</p>

<table>
    <tr><th>Attribute<br>Name</th><th>Description</th></tr>
    <tr><td>date_stamp</td><td>A datetime object representing when the rule event was created.</td></tr>
    <tr><td>time_zone</td><td>The time zone associated with the date_stamp datetime object.</td></tr>
    <tr><td>source_rule</td><td>The rule that created the event.</td></tr>
    <tr><td>rule_category</td><td>The category of the rule that was triggered.</td></tr>
    <tr><td>event_type</td><td>The event type being monitored by the rule.</td></tr>
    <tr><td>severity</td><td>The severity of the rule.</td></tr>
    <tr><td>event_limit</td><td>The event limit for the rule.</td></tr>
    <tr><td>event_count</td><td>The number of events involved.</td></tr>
    <tr><td>magnitude</td><td>The magnitude of the rule event.</td></tr>
    <tr><td>time_int</td><td>The time interval at which the rule is checked.</td></tr>
    <tr><td>source_ids_log</td><td>The source IDs of the log events involved.</td></tr>
    <tr><td>source_ids_rule</td><td>The source IDs of the rule events involved.</td></tr>
    <tr><td>log_source_count</td><td>The number of different log sources involved.</td></tr>
    <tr><td>source_host_count</td><td>The number of different source hosts involved.</td></tr>
    <tr><td>dest_host_count</td><td>The number of different destination hosts involved.</td></tr>
    <tr><td>message</td><td>The message conveyed by the rule.</td></tr>
    <tr><td>eol_date_local</td><td>Event end-of-life date in the LogESP database.</td></tr>
    <tr><td>eol_date_backup</td><td>Event end-of-life date for backup copies.</td></tr>
</table>

<p>For more on how magnitude is calculated, see the <a href="{% url 'siem:rule_help' %}">rule documentation</a>.</p>
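<p>As an added example (not the LogESP rule engine), the following evaluates a hypothetical rule over a constructed batch of log events and builds a rule event populated with the attributes in the table above: the matched-event count against <code>event_limit</code>, the distinct log source, source host and destination host counts, and the originating log event IDs. It assumes <code>time_int</code> is in minutes and that a rule fires only when the count exceeds <code>event_limit</code>; magnitude is left out because its calculation is covered in the rule documentation.</p>

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 4, 10, 20, tzinfo=timezone.utc)   # fixed clock for the sample

def _ev(eid, minutes_ago, log_source, source_host, dest_host, event_type="sshd_auth_fail"):
    """Build a minimal constructed log event with only the attributes this check needs."""
    return {"id": eid, "parsed_at": NOW - timedelta(minutes=minutes_ago),
            "log_source": log_source, "source_host": source_host,
            "dest_host": dest_host, "event_type": event_type}

# Constructed log events (not LogESP data): five recent failures, one stale, one other type.
LOG_EVENTS = [
    _ev(101, 1, "bastion", "203.0.113.7", "bastion"),
    _ev(102, 2, "bastion", "203.0.113.7", "bastion"),
    _ev(103, 3, "bastion", "203.0.113.9", "bastion"),
    _ev(104, 4, "web01", "203.0.113.7", "web01"),
    _ev(105, 5, "web01", "203.0.113.7", "web01"),
    _ev(106, 45, "web01", "198.51.100.2", "web01"),                    # outside the window
    _ev(107, 2, "bastion", "203.0.113.7", "bastion", "sshd_auth_ok"),  # different event type
]

# Hypothetical rule definition using the attribute names from the table.
RULE = {"name": "ssh_bruteforce", "rule_category": "authentication",
        "event_type": "sshd_auth_fail", "severity": 3, "event_limit": 4,
        "time_int": 10, "message": "Repeated SSH authentication failures"}

def build_rule_event(rule, log_events, now=NOW):
    """Evaluate rule over log_events; return a rule event dict, or None if it does not fire."""
    window_start = now - timedelta(minutes=rule["time_int"])   # assumption: time_int in minutes
    matched = [e for e in log_events
               if e["event_type"] == rule["event_type"] and e["parsed_at"] >= window_start]
    if len(matched) <= rule["event_limit"]:      # assumption: fire only above the limit
        return None
    return {
        "date_stamp": now, "time_zone": str(now.tzinfo),
        "source_rule": rule["name"], "rule_category": rule["rule_category"],
        "event_type": rule["event_type"], "severity": rule["severity"],
        "event_limit": rule["event_limit"], "event_count": len(matched),
        "time_int": rule["time_int"],
        "source_ids_log": sorted(e["id"] for e in matched),
        "source_ids_rule": [],                   # no rule events fed this rule
        "log_source_count": len({e["log_source"] for e in matched}),
        "source_host_count": len({e["source_host"] for e in matched}),
        "dest_host_count": len({e["dest_host"] for e in matched}),
        "message": rule["message"],
    }
```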

{% endblock %}
